[Zope] sending an encrypted login URL

Dieter Maurer dieter at handshake.de
Thu Mar 5 15:34:53 EST 2009


Joseph Thomas (s) wrote at 2009-3-5 14:01 -0600:
>Thanks, could you elaborate a bit, I'm somewhat new to zope/plone:
>
>I assume we'd need a shared key both on our j2ee server and zope

"EVP" (documented in the *nix man pages) supports both symmetric
as well as asymmetric encryption.
When you use symmetric encryption (we do),
you need (of course) a shared secret.

> and
>did you need to create any changes to Plone PAS?

We are not using Plone (GPL) but I think that no changes to Plone PAS
would be necessary (exception in a moment).

Instead of redirecting to "logged_in", you can use a preprocessor
(e.g. "remotelogin") which decrypts the information and then calls "logged_in".

The problem which might force you to change something:
The standard Plone user folders do not provide access to
a cleartext password (for obvious security reasons).
That means when you want to perform a remotelogin to your partner
system, it is not easy to obtain the password for such a remote
login. Your partner system may have the same problem when it
performs a remote login to Plone.


You can use an SSO solution, e.g. CAS.
If I have understood correctly, there are PAS plugins supporting CAS.


You can also change the PAS plugin that stores the user identification
such that it also stores the password (e.g. in the session)
such that you can retrieve it for a remote login.



-- 
Dieter


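The encrypted login URL described in the reply above, as an added example that is not part of Dieter's message or of any Zope/Plone code: the partner system builds a token under the shared secret, and a "remotelogin"-style entry point on the other side decrypts and checks it before proceeding to the normal login. The example assumes a constructed shared key, a hypothetical 60-second token lifetime and a hypothetical `remotelogin` URL; it uses only the Python standard library, so the symmetric cipher is an HMAC-SHA256 keystream in counter mode with a separate encrypt-then-MAC tag rather than the OpenSSL EVP interface the reply refers to. A real deployment would use a vetted AEAD (e.g. AES-GCM through EVP or the `cryptography` package); the points the example is meant to show are the ones EVP alone does not give you: integrity protection of the ciphertext, a fresh nonce per token, and an expiry so a captured URL cannot be replayed indefinitely.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed sample secret; a real one is generated randomly once and
# deployed to both the J2EE server and the Zope server.
SHARED_KEY = b"0123456789abcdef0123456789abcdef"
TOKEN_TTL = 60  # hypothetical lifetime in seconds; keeps replay window short


def _subkeys(key):
    # Derive independent encryption and MAC keys from the shared secret so
    # the same key bytes are never used for two purposes.
    enc_key = hmac.new(key, b"remotelogin-enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"remotelogin-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream_xor(enc_key, nonce, data):
    # Counter mode with HMAC-SHA256 as the PRF: block i of the keystream is
    # HMAC(enc_key, nonce || i). XOR is its own inverse, so this both
    # encrypts and decrypts. Stand-in for an EVP cipher, not a replacement.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[i:i + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def make_login_token(key, username, now=None):
    """Partner-side: encrypt {user, expiry} under the shared key and tag it."""
    enc_key, mac_key = _subkeys(key)
    now = int(time.time()) if now is None else now
    payload = json.dumps({"u": username, "exp": now + TOKEN_TTL}).encode()
    nonce = os.urandom(16)  # fresh per token; reuse would leak plaintext XOR
    ciphertext = _keystream_xor(enc_key, nonce, payload)
    # Encrypt-then-MAC over nonce and ciphertext; the receiver verifies
    # the tag before it decrypts anything.
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode().rstrip("=")


def verify_login_token(key, token, now=None):
    """Zope-side 'remotelogin' check: returns the username, or None on any failure."""
    enc_key, mac_key = _subkeys(key)
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (ValueError, TypeError):
        return None
    if len(raw) < 16 + 32:
        return None
    nonce, ciphertext, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        data = json.loads(_keystream_xor(enc_key, nonce, ciphertext))
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("exp", 0) < now:
        return None  # expired (or malformed) token: refuse the remote login
    return data.get("u")


def remotelogin_url(base_url, key, username):
    # Hypothetical URL layout; the 'remotelogin' preprocessor would read
    # the token, call verify_login_token, and only then call logged_in.
    return base_url + "?token=" + make_login_token(key, username)
```

The token stays URL-safe (base64 padding is stripped and restored on decode), and every failure path returns None so the caller falls through to the ordinary, unauthenticated login rather than to logged_in.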